Sizing Botnets No Exact Science

After leading a concerted effort shut down the notorious Mega-D botnet (aka Odzok), researchers with FireEye are trying to estimate the size of the massive fleet of zombie machines, which is an interesting art in and of itself.

After doing some detailed research into the operation of Mega-D, which was known for its ability to shift its C&C infrastructure rapidly to stay ahead of attempts to cut it off, FireEye engaged in an aggressive effort to work with ISPs and other important players to shut the whole thing down.

Now, having apparently done so, researchers with the company are trying to understand just how large Mega-D might have been by tracking the sheer number of IPs that are still trying to connect with the botnet despite the fat that its head has effectively been chopped off.

By directing any IPs trying to call back to Mega-D for instructions to a central locations, or "sinkholes", the experts are watching with wonder as the hits role in and trying to chart the reach of the botnet by measuring the rate of activity.

"After about 5 days we saw 487,430 unique IP addresses connecting to us. It's difficult to estimate the true size of this botnet using this number, but we can get a good idea of where the infected systems are," writes Todd Rosenberry of FireEye Malware Intelligence Lab in a blog post.

From a regional standpoint, machines in Brazil accounted for the biggest share of Mega-D, coming in at 11.5 percent of all attempted connections, followed closely by India and Vietnam. Other countries known for their frequent involvement in such attacks including China and the USA had far less involvement in the botnet, based on the study, falling at no.s 16 and 17 on the ranking by nation, respectively.

Overall, FireEye estimates that machines in 214 countries had been swept up by the zombie network, although the top three nations had far more infected devices than any others, the anti-malware company said.

One of the reasons that it remains challenging to scope the size of such botnets is because by counting the involved IPs you only get a small fraction of the machines that might be looped in, or many cases you get far more IPs, based on the fact that there are likely multiple machines behind a lot of the addresses and that the bots are constantly moving around to new IP addies to avoid detection.

However, by comparing its own research to that of UCSB researchers who infiltrated the Torpig botnet to its own research figures, FireEye does have some metrics for purposes of comparison.

For instance, over the course of 10 days, the UCSB researchers tracked 1,247,642 unique IPs and roughly 182,800 unique bots related to Torpig. By comparison, the highest rate of attempts to connect back to Mega-D in a single day was 48,785 active bots.

When compared to the Srizbi botnet, which FireEye went after roughly a year ago, Mega-D also seems pretty sizeable. Using the metric of how many unique bots were involved in the campaign, FireEye found that while 44 percent of the connections it traced back to Srizbi appeared to be unique, the number was 51 percent for Mega-D.

By comparing the total number of IPs related to Mega-D (487,430) to that figure of 51 percent, FireEye estimates that Mega-D could have encompassed roughly 250,000 endpoints.

The researchers admit the entire approach and results need to be taken with a grain of salt, but, at least we're finally getting an idea of how pervasive these infected networks may be.

Follow eWeek Security Watch on Twitter at: eWeekSecWatch.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.